Guys, I am looking at piloting a Citrix access solution, but in order to do so I need to create a full ADS (Accreditation Document Set) and risk assessment to be approved by our security board... something that is not enjoyable and will take some time. I am interested in any opinions as to the security of such a project.

My understanding of this is that an HTTPS connection is made to the gateway and then, using one of many forms of authentication, a user is able to access published applications via a connection that is proxied through the gateway. As the gateway is located within a DMZ, and as long as the security between the gateway and backend servers is strong, the connections are secure. I have done some searching around the web and come up with some answers as to the security risks, although a lot of these were a few years old.

Does anyone have any opinions as to the security of such a project and what, if anything, can be done to mitigate the risks? IDS will be running behind the firewall. I would also like to test the security of this and was wondering whether HTTPS tunnelling would pose a major problem for this kind of connection.

My main concern is that at present we have no incoming connections straight from the internet via this link, and so all my documentation will need to be spot on to pass the board.

Any thoughts welcome, as got some ideas, just could use some educated thought from other people in the field. Also, any sites that show how to make Citrix access secure would be good.

Thanks

A previous employer of mine used Citrix Metaframe for many of their remote users. The user would just go to a web page, enter their Active Directory credentials and then they had a remote desktop with all of the applications that they use.

There are some big security benefits to this design. For one thing, you have absolute control over their workstation. At the hospital I worked at we required everyone to use our proxy server to reach the Internet, and we used group policy to push that setting out. We did have quite a few administrators, however, that would open up regedit and change that setting manually. Can't pull that on a Citrix connection. You don't have to worry about unauthorized software being installed either.

Sure, there are going to be security risks with Citrix. You have to compare these risks to the risks that come along with other remote access technologies. I think that users with a VPN connection are more likely to introduce viruses and worms into the network, for example.

Domain name hijacking is one security risk that comes to mind. If someone were to poison the DNS cache of an ISP and make your domain name resolve to another IP address, they could set up a fake login page and harvest your user names and passwords. This is not the most difficult thing in the world to do, but it also isn't some script kiddie attack either. You could mitigate this by setting each client up with a host file that points to your web server. That way, even if someone poisoned a DNS cache, the client workstations would have the right IP address.

I'm sure there are other ways to penetrate this setup, but I don't know them well. Again, I would say that you should try to make this as airtight as you reasonably can, and then compare that setup to the other remote access options you have and decide which one gives you the best coverage.
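As an added example (not part of the reply above): a small audit a support team could run against a client's hosts file to confirm the gateway name is pinned to the expected address, the mitigation suggested in that reply. The hostname and addresses are constructed placeholders, and treating the first matching entry as the effective one is an assumption about the client's resolver.

```python
import ipaddress

# Constructed sample hosts file; names and addresses are placeholders
# (RFC 2606 / RFC 5737), not values from the thread.
SAMPLE_HOSTS = """\
# managed by IT
127.0.0.1      localhost
192.0.2.10     citrix.example.org  gateway   # pinned gateway
198.51.100.7   CITRIX.example.org            # stray later entry
not-an-ip      citrix.example.org
"""

def parse_hosts(text):
    """Return [(line_no, ip, [names])] for every well-formed entry, in file order."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: ignore the line
        names = [n.lower().rstrip(".") for n in fields[1:]]
        entries.append((no, ip, names))
    return entries

def audit_pin(text, hostname, expected_ip):
    """Report whether hostname is pinned to expected_ip and list conflicting lines."""
    want = ipaddress.ip_address(expected_ip)
    host = hostname.lower().rstrip(".")         # hostnames compare case-insensitively
    hits = [(no, ip) for no, ip, names in parse_hosts(text) if host in names]
    if not hits:
        return {"status": "unpinned", "conflicts": []}
    # Assumption: the resolver uses the first matching entry in the file.
    first_ip = hits[0][1]
    conflicts = [no for no, ip in hits if ip != want]
    status = "ok" if first_ip == want else "wrong-address"
    return {"status": status, "conflicts": conflicts}

if __name__ == "__main__":
    print(audit_pin(SAMPLE_HOSTS, "citrix.example.org", "192.0.2.10"))
```

A result of `ok` with a non-empty `conflicts` list means the pin is effective but a later line maps the same name elsewhere and should be cleaned up.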

I was thinking the same way, just wanted to make sure I was on track. The other reason for this is that I may be able to propose it as an alternative to a client requiring IPSEC system we use that is clunky at best and also controlled by a 3rd party... something I am not very keen on.

My main concern was that I have to make sure it fulfils standards set by government and other parties that, dare I say it, take so long to ratify anything it is out of date by the time we are allowed to use it to keep our accreditation for the connection. So if I can make this secure then I may be able to propose it as an alternative if I can get the right people to say it is OK.

Although not mentioned within work, I can foresee a need for people to be able to access allowed applications and the like from anywhere at any time in case of a policy change or emergency. I was looking to beef up the security of not only the connection but also that data passed through it using the Cisco Secure Desktop, something I have been playing around with in my 'spare time' at work. This would mean that any data used by the connections and downloaded data is removed on log out. I was then thinking about using RADIUS/token based authentication for this and then take them straight to the Citrix log on page. The main problem I have is the confidentiality/protective marking of the data... bane of my life... but this may overcome any problems with that aside from shoulder surfers.

See how it goes anyway... during the pilot, knowing my luck, they might say that it is not worth it. This would be a shame as I can see so much potential for it, just finding it hard to put it across without mentioning the access from anywhere, which I have been 'told' should be kept quiet unless asked for...??? Something about not making more work for ourselves and some other not very good reasons. However I will keep trying to break them down from within... should be in place before they even know what is happening...